In this post, we explore who is behind the purchase and corruption of the Display Widgets plugin and at least two other popular WordPress plugins.

As part of my research into the sale of the Display Widgets plugin and the subsequent spam that appeared in it, I had reached out to Stephanie Wells, the original author of Display Widgets who sold it. Stephanie got back to me moments after I hit the publish button on our post.

We had a chat on Skype and she was incredibly concerned, helpful and forthcoming with data to try and clear up what exactly happened here. Steph has kindly agreed to let me share the details of their transaction with the WordPress community.

I was really excited because this allowed us to follow the money in our investigation into who is behind the spam in Display Widgets. Little did I know that this would lead to two other plugins and shed light on a story we wrote about last year.

Following The Money

Steph confirmed that they had sold the Display Widgets plugin to “Mason Soiza” for $15,000. He had approached them via their web contact form. This is the original email they received, complete with spelling errors:

–Begin email–

We would like to purchase this plugin from you and take complete owner ship of it and take away the stress from you.

We are trying to build one of the largest wordpress plugin companies and in doing this we are trying to purchase some rather large plugins like yours.

I am wondering if me and my team would be able to purchase this plugin from you and then take over the complete development of it and push out a new update to make it work better with the latest wordpress.

We will also put our admin team onto the support forum and make sure the users are happy and if there are any features they are specifically asking for we will get them added in to the next update.

We have over 34 Plugins that we now own and manage.

–End email–

During their negotiations they received a further email from Soiza on April 24th which read:

–Begin email–

We have 1 plugin per account as WordPress do not really like the fact that people sell or buy the plugins so this protects us as the buyer from one of the previous owners from “snitching” and then crashing all our other plugins.

I can name drop a few however:

https://wordpress.org/plugins/wp-slimstat/ <– managed by Dinohttps://wordpress.org/plugins/finance-calculator-with-application-form/ <– bought 2 days ago as we have a great concept on growing htis and really wanted the name “Finance Calculator” still needs the designer to jump on.https://en-gb.wordpress.org/plugins/404-to-301/<– bought this a few weeks back still in process of transferring , they have had bad press in the past so we want to fix it and also improve on the current version in terms of “auto 404 fix”.

We have many others but these are most recent.

To be brutally honest,

It helps with our web business that is pretty big in the casino industry, when we can use as a sales tactic “Our code is used on over 30million websites” world wide etc etc. Sounds silly but it goes along way in our industry, especially as we need to evident our statements by law.

–End email–

Notice I’ve marked the “404 to 301” plugin in red. We’ll come back to that.

The plugin was no longer a core part of Steph and her husband’s business, so they decided to sell it.

The paypal transaction from May 19th, 2017 to purchase Display Widgets reads: “Mason Soiza (pp@linkrocket.net) made a $15,000.00 USD payment“

The contract that Steph received is signed by Mason Soiza.

On June 21st, the first release of Display Widgets under the new author went out. Then on June 30th there was a second release, version 2.6.1, which included the malicious code we covered in part 1 of this series of posts. To remind you, this code allowed the new plugin author – Soiza, in this case – to publish spam content on any site running Display Widgets. There were approximately 200,000 sites using Display Widgets at the time.

The Trac ticket that Calvin Ngan opened 7 weeks ago, which was the first report of the malicious code and activity in Display Widgets, reported Payday Loan spam. This is an important fact, as you’ll see below.

Who Is Mason Soiza?

The contract that Stephanie received is signed by Mason Soiza. The company name used on the contact is:

The address is a complete match to the address and company name provided on the invoice. The company has one corporate officer, Mason Reece Soiza, born March 1994 (age 23), a British citizen, appointed to the board on December 6th, 2016. His occupation is listed as Computer Programmer.

The email that Soiza used in the transaction is pp@linkrocket.net. If we visit the site linkrocket.net, it doesn’t provide much other than a logo. However, if we look at an archived version of it from May 2014, three emails appear on the home page, and we get Mason Soiza’s real email address, which is mason@linkrocket.net.

SIML is an “introducer appointed representative” of Quint Group Limited.

SIML is entered on the Financial Services Register in the UK under reference number 748266

Quint Group Limited is entered on the Financial Services Register under reference number 669450

SIML’s company number is 09861376

Lets go to the Financial Services Register and look up SIML’s reference number. We find it listed as follows. You can click the image for a larger version which opens in a new tab.

And on the FCA we find the email address mason@inkrocket.net. This may be a typo because the domain ‘inkrocket.net’ doesn’t actually exist. The actual domain should probably be (l)inkrocket.net.

Who Does Soiza Represent?

Based on data from the UK’s Financial Conduct Authority, “Soiza Internet Marketers Limited” is authorized to introduce clients to Quint Group Limited. Quint provides the financial services that Soiza is selling.

Soiza also operates www.unsecuredloans4u.co.uk which is also reselling Quint’s financial products.

I phoned Quint in the UK and was escalated to their compliance director, Graham McGifford, who was very responsive. He told me that Quint does have standards they require their representatives to adhere to and they will take action if needed.

Quint confirmed that Mason Soiza is an authorized representative, or ‘introducer,’ as the FCA’s website calls it.

Graham requested that I send him more information so that they can look into the matter. We will be forwarding this blog post.

Linking Mason Soiza to the 404 to 301 Plugin Spam

You will recall that in Soiza’s own email to Steph (above) which he sent in April of this year while negotiating the purchase of the Display Widgets plugin, he mentioned that he bought the 404 to 301 plugin:

https://en-gb.wordpress.org/plugins/404-to-301/<– bought this a few weeks back still in process of transferring , they have had bad press in the past so we want to fix it and also improve on the current version in terms of “auto 404 fix”.

In the follow-up, we mention that the spam from the 404 to 301 plugin was appearing on school websites in the UK and in particular, a UK based “escort” service called cityofescorts.co.uk had appeared on a school website. This is the code that was fetching the spam content for the 404 301 plugin:

And this is an obfuscated screenshot we included in our August 2016 post:

If you do a whois lookup on cityofescorts.co.uk, you discover that the owner is Mason Soiza.

The wpcdn.io server that was being used to serve spam to the “404 to 301” plugin is still up and running today. And if you visit the URL at wpcdn.io that was being used to serve up spam today, it serves up paydayloansnow.co.uk, which we have shown is another Soiza website.

Soiza says he bought 404 to 301. I reached out to the original plugin author, Joel James, to see if that is true. I haven’t been able to contact him.

Back in August of last year, Joel James wrote on this blog:

Did Joel James give Soiza commit access to his code? I would really like to hear more about what exactly happened. Soiza is now saying he purchased the plugin, but we don’t know if that was before or after the 404 to 301 debacle unfolded. Joel if you could comment here to help us understand the timeline, that would be really helpful.

What About the Other Plugins Soiza Bought?

In his email to Steph, Soiza mentions two other plugins. The notes to the right of each arrow are his:

https://wordpress.org/plugins/wp-slimstat/ <– managed by Dinohttps://wordpress.org/plugins/finance-calculator-with-application-form/ <– bought 2 days ago as we have a great concept on growing htis and really wanted the name “Finance Calculator” still needs the designer to jump on.

I have not been able to connect with the author of ‘WP Slimstat’.

I did manage to connect with Ciprian Popescu, author if the “Finance Calculator” plugin that Soiza says he purchased and Ciprian was kind enough to share the details with me.

Soiza contacted Ciprian early this year and used an alias of “Kevin Danna”. He expressed interest in buying Finance Calculator.

Soiza then purchased Finance Calculator for $600. During his communication with Ciprian, Mason Soiza appeared to make an error and he accidentally signed one of his emails from the Kevin Danna alias as ‘Mason’. Ciprian shared a screenshot with me:

Ciprian told me that for some reason, Soiza never updated the plugin after he purchased it. After learning about what happened with Display Widgets, he has taken back control of the Finance Calculator plugin, revoked Soiza’s access and confirmed that it is malware free. I received this message from him:

Hi Mark,

I can confirm that my plugin has not been tampered with. I have pushed an update to remove the ‘financecalculator’ committer, which was Mason Soiza. I am in the process of updating more stuff, such as rewriting some code for a smaller footprint; but the plugin is fully functional and malware-free.

My Communication With Soiza

We now have hard evidence, courtesy of Ciprian, that Soiza uses the “Kevin Danna” email address to communicate with people. We also know that the new owner of Display Widgets plugin was using that address on WordPress forums.

I communicated with “Kevin Danna” via email while researching our previous post. I asked about the “34 plugins” mentioned on the wpdevs.co.uk website that they owned. I also wanted to know if the malicious code in Display Widgets was there intentionally. This is the reply I received from “Kevin”. I published this in our previous post and left out the first few paragraphs. I’m including them this time to give you a sense of who this person is.

Hi Mark,

Just seen this email WOW!

My side of the story is, as you may/may not know. I got diagnosed with Lung Cancer a few months ago, so only have a few months/maybe a year left on this earth. So i sold up all my plugins to numerous people.

The Display Widgets plugin was sold to a company in California who made me sign a NDA. Probably due to the reasons you have highlighted. This is the only plugin i sold to this “guy”. He claims to have lots of “drupal” plugins and this was his first wordpress plugin. I bought this plugin for $15,000 and sold it for $20,000. They told me they was using it to advertise there toolbar, which i suppose you could use to search them up.

In regards to the 34 plugins and counting, that was at the peak of my career. I would buy plugins brand them up towards say a “web design” business on the /wp-admin/ and then sell the web design business along with the plugin with words like “Used by over 100,000+ websites” adding words like that etc inflated the price of the business by xyz and then i would simply flip it as quick as i could. WP Devs is now a defunct company for obvious reasons.

I apologise for any inconvenience i have caused in directly. I wish you the best of luck!.

Thanks

Kevin D

We know that Soiza bought the Display Widgets plugin from Steph and bought Ciprian’s Financial Calculator plugin. We know that Soiza communicates using the Kevin Danna email address. We also know that Mason Soiza owns the domains used for spamming in the “404 to 301” plugin. We also know that Steph sold her plugin for $15,000 to Mason Soiza. The above email is actually the first time I had heard the number mentioned. We also know that the wpdevs.co.uk website was only registered in April, so it’s not an old business from the “peak” of someone’s career.

So I’m going to go out on a limb here and say that Kevin Danna is actually Mason Soiza and based on Soiza’s public Facebook Profile, he is looking quite healthy.

Other Interests

According to a Whoisology search using Soiza’s email address, he owns the following domains:

onlineblackjackexpert.net (Active blackjack site)

0xd0d78w2.info (Listed with Google as serving up malware. See below)

Before Google blocked it, the 0xd0d78w2.info domain was serving up a site that claimed your computer was infected and tried to get you to call a “Microsoft” support line. It looked like this (courtesy of Archive.org):

Business Is Good

Soiza appears to live the high life. On his public Facebook profile, he posts that he attended the Monaco Grand Prix in May of this year.

Wrapping It Up

Our team has assembled a lot of data on Mason Soiza from public sources. He has interests in a wide range of online business that include payday loans, gambling and ‘escort’ services, among others.

He has been active on black hat forums and has been banned from “Black Hat World” (username LinkRocket) and from WickedFire.com (username MasonSoiza). Soiza is active on Reddit as IIRR and moderates a a subreddit called /r/paydayloansnowcouk.

At this point we have confirmed that Soiza purchased the Financial Calculator plugin and the Display Widgets plugin and we have established a financial trail. He added a backdoor to the Display Widgets WordPress plugin to allow himself unlimited publishing access to sites running the plugin.

We also know that Soiza was involved in the spam that originated from the “404 to 301” plugin which he says he bought, although in that case the author has not yet confirmed the sale of the plugin. His escort website and payday loans websites were spammed from the “404 to 301” plugin.

If you are contacted by “Kevin Danna” or “Mason Soiza” and are a plugin author, we advise you to avoid all contact.

As always I welcome your feedback in the comments.

Thanks and Credits

A big thanks to Steph Wells, original author of the Display Widgets plugin who provided the initial financial data we needed to follow the money. Also a huge thanks to Ciprian Popescu, author of the Financial Calculator plugin, who also shared transaction data with me and a screenshot that confirmed Soiza uses the Kevin Danna alias. Both plugin authors worked with me on very short notice, so thank you!!

Also a huge thanks to our team who dropped everything and worked to rapidly build up a profile of Soiza. I’ve mentioned their names on the blog before, but just about everyone pitched in on this post, so you can hit our About page to see who they are. Special thanks to Matt Barry who recognized the connection between Soiza and the “404 to 301” plugin during our research.

Nice work guys! I've been using your plugins since the day you released them, I'm a premium customer now, and I can't tell you how much your work means to the wordpress community - you've really skyrocketed your abilities over the past year or so and I recommend you to each and every person I know that works with wordpress.

This is like a thriller. Nice long read and totally worth It of your time. Am I in the wrong side of the law? I have webpages and my family has been living of what I made from my 9 local pages for many years but I don't have a Ferrari and surely I cannot go to places who charge You $16USD per cocktail. I am just wondering.

This should be reported (along with any unpublished information) to the "UK National Cyber Crime Unit" as noted by a David Sandilands below) .

As noted at the end of your article "...our team who dropped everything and worked to rapidly build up a profile of Soiza.", I'd have much rather have seen you take all the time you needed to work with the authorities to have “Mason Soiza” arrested and prosecuted for his actions rather than being "doxed" here on a blog post.

Once “Mason Soiza” was convicted, documenting that and then publishing that would make for a ripping post.

Instead, I'm disappointed and all I see is “Mason Soiza” has been given a heads up to go hide and from authorities for his crimes.

I think we did a pretty good job of capturing the docs that would be needed to prosecute him. We have a lot that remains unpublished dating back to when he was a teenager. Should Scotland Yard reach out, we'd be happy to work with them.

Great work on exposing a scammer. He and other similar low-life's will probably just learn to better cover their tracks in the future, but it is a great case study on what will likely become an increasing problem of shady operators acquiring or adopting legitimate and popular plugins and corrupting them to enable spamming and hacking of WordPress websites. Once again WordFence leads in the arena of cyber security.

Mark, I am so impressed that you have exposed this guy. In a world where people tend to let bad things happen because they don't think it affects them you have become a champion. As has been said throughout history, the only thing necessary for the triumph of evil is that good men do nothing and you are absolutely doing something to protect us!
I have several websites all running the free version of Wordfence. I maintain these for people free of profit and so could not commit to a premium version. However, because I value everything you do I would be happy to make a donation if that is possible. Please let me know.

Great read. If Mason thinks he's innocent you should be getting a call from his lawyers sometime soon. But something tells me you won't be getting that call. Let us know if he doesn't get in touch because that will confirm his guilt.

Wanting to be sure it is not the same slimstat plugin I've used on occasion in the past (its not), I went to the url for WP-Slimstat you give... The plugin was updated 17 hours ago, has 100,000+ active installs, a 4.8 review rating with 671 five stars, and 45 out of 45 resolved issues in last two months... The author seems to be unrelated to all of this...?

You don't mention this wp-slimstat but the one time I believe, as one purchased by Soiza...? Maybe some more needs to be said regarding this...? Distance all this from that plugin, if it is unrelated...?

Man, WHAT A STORY! I can't believe you really went that far to document this. You really did a great job! Also, this guy seems a bit too "exposed" for what he does, I mean, I would have expected that someone with this kind of "activity" to clean his footprints better, but as you point here, he's, well, almost everywhere with this name in clear. I guess it would come handy for the police :-)

We use SlimStat Analytics. Maybe you should contact the developer Jason Crouse and ask him if everything is ok. Mentioning his plugin and then not adequately checking if it has any relevance to this article is not a good idea.

This is HUGE!
I was so concentrated and exited while reading this.. same as I was watching the best crime - thriller movie:).
I remember as it was yesterday about "404 to 301 Plugin" and Joel James crying that he made a mistake... This isn't end.. soon I hope we will find the true story about "404 to 301 Plugin" and hopefully more plugins got bought by Mason.
Personal THANKS to plugin authors for the info provided.
GREAT job guys (and girls), waiting for more news!!!

One thing not clear from this is whether the Display Widgets Plugin is now free of this code or not. I have it on one client's site and it was updated to revert to the previous version 2.05. I then got a notification to update to 2.7 but it will not update to this and when I look at "view details" I see the following error message :-

Warning: call_user_func_array() expects parameter 1 to be a valid callback, function 'dfcg_load_scripts_footer' not found or invalid function name in /home2/don/public_html/wp-includes/class-wp-hook.php on line 298 There is nothing wrong with the WP-Includes code and it does not happen when looking at any other plugin's "view details" so clearly there still appears to be something wrong with the latest update. The prior version 2.05 works.

This is an outstanding job of sleuthing and informing the public. It does make me stop and wonder though. This process of purchasing a plugin and reworking it to include a backdoor is bothersome. It makes me wonder/be concerned about who is actually behind a 'useful' plugin and what their intentions are. Most people take a plugin generally for granted, and might potentially base their usage on the plugin based on reports from the web. If a party purchases a previously reliable plugin and secretly uses it to implant a bad door. They will pretty much keep this a secret (until they run into the Wordfence detectives! ). This nefarious usage could go on for a good while, until it is discovered, IF it is discovered. I see this as akin to the 'Trojan Horse' used ages ago. If they cannot batter the gates down, they let you opt to bring their weapon into your site, by your own accord.

Other WordPress 'news' sites can take lessons from this excellent writeup of information that is genuinely important for WordPress owners to know. This is the kind of investigative news I would pay a subscription price to read. There's quite a bit of investigating that needs to be done indeed! Lots of questions being asked that aren't being answered. Thank you for your piece. I'll bet you had fun following the clues! I know I had fun reading this. Thank you for helping our clients and us stay safe!

Thank you so much for this thorough piece of investigative journalism! We're living in times that a lot of articles online - even from mainstream news sites - don't follow the rules of journalism: fact-checking, following up with sources, and asking for comments from those being written about, etc. so kudos on a job well done to expose the shoddy dealings of this person.

Wow! Amazing story! You guys are awesome, as always! I am so grateful for the work you do, and for going the extra mile in cybersecurity! I don't know of any company like yours who takes a genuine interest in protecting others or who goes to such extraordinary lengths to do such thorough investigations. You are earning ironclad trust with your customers!!! Thank you so very much for all that you do and keep up the EXCELLENT WORK! Truly jaw-dropping...

Thank you for this info, it is so deep and never imagine this kind of thing is happened. anyway wordfence help me to protect my website from hackers, I setup auto block user to sign in using invalid username and most of them from Rusia. I am still using the free version as I can't afford to upgrade.
Thank you.

Out of morbid curiosity, I tried to look at his facebook link - he (or facebook) has already taken it down! No other facebook pages with his name. Doesn't appear he has a fb page under Kevin Danna either.

Thank you for your research.
It appears he is running in some ways. We'll have to watch for activity
as I get a sense that he doesn't care what damage is left behind.
The character does not seem to be smart enough to run a business.
It appears to be a sham.
Wordfence provides a tremendous service.

This seems to just be a symptom of a bigger issue of poor policies on the part of WordPress.org that probably goes beyond just Mason Soiza.

The details for the majority of plugins don't list who the current maintainer is or when it changes hands. The changelog for the plugin does not give any indication of it every having been taken down for violation of WordPress policies. The plugin retained it 90% five-star review status with no indication any bad behavior ever having been discovered between June through September.

So, given how little WordPress did for months to encourage community involvement to self-police known bad behavior of the plugin, I find it really troubling the attitude being dished out by Jan Dembowski at https://blog.dembowski.net/

In a blog post titled "WordPress Is About Responsibility," he seems to blame WordPress users for not being responsible enough and excuse WP support forum administrators since they are merely unpaid volunteers. He provides as "solutions" that there is WP Site Care and WordPress Meetups, but he provides no proof that involving either of those would have caught the malicious behavior. Again, while WP was aware enough of something violating the rules to have taken the plugin down back on June 22nd, there is no indication of that in the changelog. In fact, rather than state that download of 38MB of PHP code from an external site was the problem, the changelog contains a willfully misleading claim the issue was about downloading 50MB of data from MaxMind. So, what would have alerted WP Site Care or a WordPress Meetup member that the plugin needed a re-review since it otherwise held a perfect track record up to then?

The worst part about the Jan Dembowski's attitude/rant is it goes against how the WordPress project is marketed. At front and center of WordPress.org is "Meet WordPress: WordPress is open source software you can use to create a beautiful website, blog, or app." His blog post seems to indicate it really should say "Meet WordPress: WordPress is open source software [with the help of a technically competent individual that] you can use to create a beautiful website, blog, or app." Regardless of how Dembowski wants the mission statement of WordPress.org to require users to take the responsibility, that isn't what is stated and doesn't excuse forum administrators putting a chilling effect on security reports from people like David Law. Regardless of how much the community tries to take responsibility itself, if they are told to shut up then eventually those that are trying to do the right thing will just give up trying. Also saying the forum administrator performed those actions for free is not helpful. There is still a cost to the community regardless.

Bottom line: who the current plugin owner is and take-down history need to be more transparent! Any attitude that end-user responsibility can replace that is just offensively misguided.

I have reported his online pharmacy company to both the UK pharmacy regulator and medicines regulator. If he is involved in cyber crime then he is not a fit and proper person to handle sensitive medical records.

Lets not forget what this actually is... a fascinating insight into the SEO underworld. This guy went straight for the jugular, highjacking thousands of websites by injecting spam content into them with contextual anchor links back to https://www.paydayloansnow.co.uk.

Google search spam team enemy #1.

If we check Majestic link analysis tool we can see he has links on highly authoritative site, including Government .gov and .edu sites even NASA:
spaceflightsystems.grc.nasa.gov
morriscountynj.gov
cce.qld.edu.au
teca-print.com

Some links are showing as being deleted on 12th / 13th September but wayback machine shows him in action - https://web.archive.org/web/20170801063611/https://morriscountynj.gov/

If guys like Mason Soiza can just buy a plugin and release an update with a backdoor, is wordpress safe at all anymore? WordPress have to take notice and be proactive in the defence of online criminals.

Like the others commenting here, I found this to be an interesting read, and think you did a great job of ferreting out the information. I do have one negative comment to make though. It seems odd that in the first post, the day before this one, it said at the end,

"I would also ask you to not start any witch hunts. I’m sure some folks are angry about what transpired here, but things happen..."

And then the next day, this guy's entire life is exposed for the world to see. I mean, he deserves it, no doubt. But it almost sounds like you wanted to reserve the witch hunt for yourself.

I'm probably over-reacting, and there was probably no underlying weird connection between the "don't start a witch hunt" request, and the subsequent self-started witch hunt, but it definitely made me say "hmmmm".

I don't have a problem with you witch hunting malicious actors. It's what we do all day long in information security.

My concern was that the community would go after the WordPress plugin repository maintainers and the forum moderators. That happened in August of last year when we reported the "404 to 301" debacle and it created much unhappiness and additional work on their part. So I was kindly requesting that our community refrain from doing that. It looks like we managed to avoid that this time and other news outlets like Bleeping Computer were kind enough to echo our request.

I don't think that the WordFence team wanted to reserve the great reveal for themselves. They had the data and research supporting their findings that other people did not have. Rather than dumping their findings at one time, they went through a vetting process that secured their story so they could not be accused of libel or trolling or defamation of character. UK laws on these issues are much stricter than those in the US.
And Mark appropriately put out the 'no witch hunt' comment because he didn't want to accuse someone before he had definitive proof. This is not doxxing, Mason Soiza is a criminal and he needs to be exposed, jailed, fined, and maybe his Ferrari sold and the proceeds donated to do good works in the world?
Good job Mark & Wordfence team, I love your product and am a faithful user. Wordfence is the first plugin I add on every Wordpress site.

Thanks Jennifer. Yes, the posts did get published in real-time. We never had any intention of turning this into a series and didn't know where the investigation would take us when we did the first post.

The author of Slimstat Analytics, Jason, has answered a related question here hours ago: https://wordpress.org/support/topic/issues-unrelated/#post-9496649
I hope your article will be updated soon, he says he´s in contact already. Seeing he´s pretty active in supporting his plugin on wordpress.org, I´m not sure why it was so hard to contact him, if necessary, right there in support forum as other users did after reading this article here ....

good morning! I'm one of the two team members behind Slimstat. My job is to offer support for our product both on http://support.wp-slimstat.com and on the official support forum over at WP.com. You can imagine my surprise this morning when I opened my support mailbox, as I usually do every morning, and I found many emails from alarmed users mentioning this article.

I'm surprised that, while you did a great job at tracing the whereabouts of that other person, you did not consider the consequences of mentioning WP Slimstat WITHOUT checking with us first. As you can understand, this will be a big hit for our image and reputation. I would like you to post an addendum to your article to do some damage control, as people might not bother to read my comment. As you will see on our support forum and by looking at all our reviews, we strive to stand behind our product, and although we cannot go to places that sell drinks at $16 a pop, we feel like we are contributing to improving the WordPress ecosystem, and that is worth much more than money.

Please note: we are the only committers to the WP repository, and you can rest assured that our software is safe to use and doesn't include any malicious code.

I would like you to kindly remove any reference to our software as soon as possible, since it's becoming a big concern for our users. Please don't hurt our fragile business model. This is not what we deserve after ELEVEN years maintaining Slimstat.

The only mention in our post of Slimstat is in the context of Soiza claiming he purchased it.

What I do know is that Soiza appears to be a pathological liar.

I should also point out that we are merely reporting the facts.

I need a few items of information from you.

1. I need proof that you are not Soiza.

2. Once we have established that, I need to know if you sold your plugin.

3. If you did not sell your plugin, I'd like to know if you were contacted by Soiza and what the nature of the communication was.

As you can tell, two other plugin authors have worked closely with me and we have managed to rebuild their credibility and the credibility of their plugins very quickly through transparency. If you're happy to work with me then we can do the same.

The alternative is that we have no data we can work with, merely the claims that I received from you this morning via email.

Unfortunately you can't simply demand that I put content on our blog. You're going to have to work with me to help us both establish what the facts are and once I feel we know what those are with a high degree of confidence, we can report them.

And do we need to be concerned about the WP-Slimstat (AKA, Slimstat Analytics) plugin in the interim? Have you guys analyzed / audited it?

We use it, and I'd like to be sure we're not in some manner potentially compromised with spam or backdoors, etc. From earlier it sounded like it perhaps wasn't targeted like the others. just want to make sure.

You and your team have done some amazing work here and it is so very comforting to know that I am a user/believer of your plugin. Thanks for this incredible and almost unbelievable investigative reporting.

I'm extremely curious as to the control and viability of the plugin "wp-slimstats" as I use that on most of my 80+ WP sites. I'm waiting with bated breath for some news on that one.

Also, I have to say that the comments on this post are almost as intriguing and interesting as the full story... what a whirlwind of excitement this is!

Thanks again for being the ethical, quality company you are that is continuously looking after the best interests of your customers and the WP public in general.

I used to regularly use this plugin (before the change in ownership). While developing a site a few months ago I noticed the plugin was delisted from the plugins directory.

I did some investigation and found information about the spammy links.

However I view this as a major problem with the plugins directory. If they delist a plugin for security reasons THE PAGE SHOULD STAY UP IN THE DIRECTORY WITH A NOTICE/WARNING TO USERS!!!!!!, as well as display a notice in the wordpress dashboard/plugins page letting users know the same.

The way things work now is the plugin simply disappears. I have developed over 100 sites using the original version of the plugin.

Thanks for this brilliant article exposing these horrendous activities

As a Brit, and as someone who used the Display Widget plugin on a client's website who feels cheated and abused (though I am not aware of any bad incidents occurring through my sites) I felt obligated to try to report this to the National Fraud Intelligence Bureau at http://www.actionfraud.police.uk.

However, as I went through the long reporting form answering the questions, I thought that I would not be the appropriate person to report this. It really needs to be someone affected by a crime or the person who has first hand collected evidence of a crime. All I could have done is linked to this post and I don't think that is enough for the report.

I understand the reluctance to initiate a report and to wait to be contacted by British authorities.

I really hope, however, that somebody is able to bring this person to the attention of the British police. He seems like an altogether odious person who will most likely go on to find other ways of abusing people unless he is stopped and brought to account by the law.

Perhaps, if there is somebody out there in the British mainstream IT press, or someone who has contacts there, and reads this article, they would know better how to bring this matter to the attention of the British legal system.

Whether or not that happens, long may this person's name be associated through this site with his nefarious deeds (at least until he shows some remorse and evidence of a change of heart).

In that regard, I would like people to link to this article, preferably using this person's name or business names in the link text, so that whenever his name or business is searched for, this page comes up as the first result. Hopefully, then, people will be warned off doing any business with him again.

We've been debating a move for the majority of our clients to one security plugin, and Wordfence has obviously been on the table... Seeing the amount of effort you all put into your work, and into informing the WordPress community as well, is really really impressive.

Safe to say I'm tabling the discussion and buying a Wordfence license now. Thanks so much for all the hard work! You're a damn inspiration.

I have this plugin installed!!! I just read about this should the plugin be deleted? the plugin is useful to me but if it poses a risk then I will delete it I have wordfence installed but don't recall getting any warning about it but then again I don't read all the emails newsletters from WF.

Hi have to say, I did laugh when I read some of the blackhat forum posts from this guy.
Telling Rand Fishkin he knows nothing about SEO and all the aftermath, but I sure hope he loses everything from his ill-gotten gains.

From a developer living in the same area and always striving to help clients and keep them on the right side of the law when they suggest some dubious marketing techniques, I find it disgusting to see the life he is living by ruining the lives of others.

Here's wishing karma hits him straight in the face and he ends up a guest at her Majesties pleasure.

To be honest I used to work in Lead Generation industry and quit few years ago as competitors had no ethics. There were few 'significant players' who were making lots of money using similar methods, playing hard ball. Even big companies you know from TV advertising hired similar hotshots.. can give names but comparison websites. The most hacked plugins were bough or developed and code was injected in pretty the same time to produce them mlns of links, from high pr sites or edu sites.. (education sites :) have 'high authority' from SEO poin of view). Because of lead prices and high conversions for PDL this was one of the popular niche. Then sites would be 'burned' after 2 weaks in average. Then they would hijack traffic from people websites using headers and excluding robots... Anyway, it's long story. The bottom line is to check plugins if you can, possibly manually. Often social sharing plugins are targeted, analytics related because it's pretty easy to hide the code in there..
So if you run site make sure you update site but be extra careful with plugins, see change log at least and use security plugin... ie. Wordfence. Also check your logs time to time, take effort to learn basics.

Re consequences - there is plenty of places where guy can sell his leads and believe me often lead buyers don't care or pretend don't know where the leads are coming from. The right route would be complain to IFA authorities but this is also often long way and useless.
It's quick money on these and you need to have no ethics if you want to win in popular niche.

TBH I'm surprised that these methods still work after couple of years.

I've often thought for a long time that the very most popular WordPress plug-ins need to somehow be insulated from things like these. Perhaps Automattic should have a top-tier of developers and plug-ins that must practice x, y and z to be included on a preferational list of some kinds. 'Go to' plug-ins need to be protected.

This has been a good read and I want to chime in on 2 points. Please forgive me, I'm about to break my own rule of "Comments (and forum posts) are not your blog." 700 plus words. Sheesh.

First point, disclosure.

You did great detective work. While I think it would have been more prudent to withhold this post, this is your site and you did the work. Releasing this information was your call and I honestly don't fault you for that.

This scammer and his ilk are like "It's over 9000!" sock puppets and I really don't like those. Good job. Raises coffee mug in salute*

I say prudent because I think this package should have been wrapped up and reported to law enforcement as part of legal discovery. IANAL but those that know, know that several laws almost certainly have been broken by this scammer. Delivering this discovery without publicly disclosing it is what security companies do all the time.

Months later you do get to publicly disclose it and your participation when charges are filed by the appropriate prosecution. You get serious security street cred that way.

That way is not sexy, it's not good marketing but it is responsible and Very Bad People™ get charged. Hopefully. That sort of long term thinking really does protect the innocent users and that's the end goal.

Reporting it in a blog post like this is the online equivalent of catch and release.

It's not for law enforcement to contact Wordfence. You know that's not how it works. I'm also aware that you know the process, the how and the who to contact to report this criminal activity.

BUT! Again, you did the work and you get to report it on your site as you see fit. Seriously, good work and congratulations.

Second point: I want to address Ben's comment above. It's based on some misunderstandings.

I'm not WordPress. I'm not on the plugins team, I'm on the Support Team. The plugins team works their tuckus off and they've a much bigger job.

(This comment and long essay represents just my opinion only and not any representative of any group I am part of. I'd hope that's apparent but here we are.)

My personal site represents my opinions only. For someone to follow me from the forums, leave a comment picking a fight with me about this plugin situation on a post about user responsibility is silly. Someone followed me from the forms and I deleted the comment on my site.

Months ago, someone raised a privacy problem with this plugin in the forums. That was looked at by the plugins team and at that time it was determined that that wasn't a violation of the plugin guidelines. Those guidelines are basically an Acceptable Use Policy (AUP) for being allowed to host your code on WordPress.

Before anyone loses it in reply to this, that privacy problem was NOT the malicious back door code. Different problem and holding that up and saying "See? See?" just mis-represents what happened back then. Mark's timeline covers that, read it. It's a good read.

With one or two exceptions, all of WordPress.org is staffed by unpaid volunteers. That's not an excuse, that's not "blame", that's how it is. There are over 50,000 plugins to review. Do a little math, it's statistically likely that this will happen again.

What's remarkable is that it doesn't happen more often.

Please don't @ me for that comment. The plugins team works hard for WordPress users and effectively. Is it perfect? Of course not. Nothing involving real human beings ever is.

Drinks coffee

Hey, it's fine when users get indignant and very angry about what happened. This event with this plugin Sucks Wind Loudly all around. But if you're a WordPress user please consider getting involved in ways that work.

Just saying "how little WordPress did (they did a lot BTW)" or "I can't believe his attitude (on his personal site)" isn't doing anything useful. Go to a Wordcamp, go to a meetup (online or in person), suggest ideas, provide feedback. Get ready to do the work.

Or as I ended off on my blog post: "Don’t accept blame for what happens to your WordPress site. Take responsibility instead." That also applies to anyones participation in our swell community. Problems are made by people, they're also solved by other people. Let's work together and out a way to improve the communication all around that works and is practical.

It would be neat if plugin authors could pay a fee to a reputable web security company (like Wordfence, Securi or someone) to review their code and give them a badge or rating on Wordpress.org/ plugin download page.

A unique / separate security rating system at Wordpress.org would help.

You overlooked the racehorse, jointly owned with his father Joe Soiza who is (or was) also a director of at least one of Mason's companies. This looks like a family business, and I don't think Mason is the brains of the outfit. He just seems to like the things that large amounts of money can buy. Perhaps dabbling in fake pharma, gambling (casinos were mentioned) and unsecured loans - very high rates of interest, but all perfectly legal - helps pay the bills.

Well he (not his father) owns that property which his company Soiza Limited is registered to (Jubilee Cottage), which he bought for a fat £777k in December 2016. So he can't be doing too badly himself.

According to my boyfriend who trained at the same gym, they own a fleet of high end sports cars.
Lamborghinis, Ferraris, Mercedes and more in the space of a couple of years . Rather like a rag to riches success story! Sickens you to think how hard you have to work in Seo when being honest.

I think this is one of the best exposures I have seen after many years of dealing with online fraud. Fabulous tracking all this down. These criminals often try to hide however and have aliases and fake profiles that can be woken at any time and while you can't see his obvious profiles anymore he has not shut shop and run, and he has merely hidden them for now and will wake them briefly to keep them alive. It is absolutely certain he is up and running again and business continues as usual. Scammers never cease their fund raising activities and education and awareness, such as shown above, is always the solution.